Why is it important to have a Network Security Policy?
The short and direct answer is: to protect a company’s assets. Those assets are hardware and data, ranging from servers and workstations to vital applications and confidential employee and commercial information.
Most companies know the answer but have a hard time defining what it is they need to protect. It isn’t an easy process, and it should take some time to implement so that everything that needs to be covered is included; moreover, a Network Security Policy is a “living document”. As technology and employee requirements change, the document needs to be updated to reflect those changes.
Generally, the policy is used to inform employees, specify mechanisms for security, and provide a baseline. Well-defined security policies protect people and information, set up rules for expected behavior, authorize staff to monitor, probe, and investigate, and also define the consequences of violations, not only for internal users but also for external entities such as company partners, customers, suppliers, consultants, and contractors.
Most IT providers and industry leaders agree that a security policy should use a variety (or suite) of policy documents to meet the range of needs of a company.
Cisco Systems states the following with regard to the hierarchy of a corporate policy structure that will effectively meet the needs of all audiences:
- Governing Policy: This policy is a high-level treatment of security concepts that are important to the company. Managers and technical custodians are the intended audience. The governing policy controls all security-related interaction among business units and supporting departments in the company. In terms of detail, the governing policy answers the “what” security policy questions.
- End-User Policies: This document covers all security topics important to end users. In terms of detail level, end-user policies answer the “what”, “who”, “when”, and “where” security policy questions.
- Technical Policies: Security staff members use technical policies as they carry out their security responsibilities for the system. These policies are more detailed than the governing policy and are system- or issue-specific (for example, access control or physical security issues). In terms of detail, technical policies answer the “what”, “who”, “when”, and “where” security policy questions. The “why” is left to the owner of the information.
There is no single Network Security Policy template that works for every company. A policy has to be customized to fit the needs of that particular company. Consult your IT department or IT provider when you are ready; they will be able to provide the direction you need in developing and implementing your Network Security Policy.